Fixed security vulnerabilities in Dependencies.
Updated to Spring Cloud Gateway 2024.0 and Spring-Boot-Starter-Parent 3.4.1.
Updated DockerImage to Java 17.0.13.

We just updated dependencies that had vulnerabilities.

We've updated a few dependencies and the docker image to close a few vulnerabilities.

We now require Java 17 to run because we updated SpringBoot and the Spring Cloud Gateway to current versions:

• Requires Java 17
• Updated To Spring-Cloud 2023.0.0
• Updated To Spring Boot 3.2.1
• dependency Updates to fix security issues
• Fixed an issue with Secondary Trace-Header (where in the simple trace case an invalid header of "n/a" was tried to be added to downstream requests.
• Minor Documentation Updates

Note: There are new WARN log entries of Type: "...is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor...". These are related to SpringBoot 3.2.1 and a known issue (spring-cloud/spring-cloud-commons#1315)

What's Changed

Just upgraded some dependencies to reduce vulnerabilities.

• [Snyk] Upgrade com.nimbusds:nimbus-jose-jwt from 9.21 to 9.31 by @snyk-bot in #127
• [Snyk] Upgrade io.netty:netty-codec from 4.1.86.Final to 4.1.91.Final by @snyk-bot in #129

Full Changelog: v0.5.1...v0.5.2

Upgraded dependencies for vulnerability mitigation.
Improved Key-Rotation and made some configuration changes

What's Changed

• Making Rotation test more robust by @Padi-owasp in #93
• Added support for configuration file via https by @gianlucafrei in #95
• renamed enableUnsafeHttps -> enableUnsafeHttp. by @Padi-owasp in #96
• Adjust container runtime by @bt-nia in #98
• Fix/dependencies by @Padi-owasp in #101
• Fix/dependencies by @Padi-owasp in #107
• [Snyk] Upgrade com.nimbusds:nimbus-jose-jwt from 9.20 to 9.21 by @snyk-bot in #108
• moved to in mem only random key for cookie encryption by @Padi-owasp in #109
• [Snyk] Upgrade com.github.ben-manes.caffeine:caffeine from 3.0.5 to 3.0.6 by @snyk-bot in #110
• [Snyk] Upgrade com.nimbusds:oauth2-oidc-sdk from 9.27.1 to 9.31 by @snyk-bot in #111
• updated spring boot/cloud by @Padi-owasp in #116
• fix dependencies in pom and update docker image. by @Padi-owasp in #118
• [Snyk] Upgrade com.github.ben-manes.caffeine:caffeine from 3.0.6 to 3.1.3 by @snyk-bot in #120
• [Snyk] Upgrade com.nimbusds:nimbus-jose-jwt from 9.21 to 9.22 by @gianlucafrei in #115
• [Snyk] Upgrade com.nimbusds:oauth2-oidc-sdk from 9.31 to 9.43.1 by @snyk-bot in #119
• Updated pom and container by @Padi-owasp in #125
• Fixing dependencies / vulnerabilities by @Padi-owasp in #126

New Contributors

• @bt-nia made their first contribution in #98

Full Changelog: v0.5.0...v0.5.1

New Functionality 🎉:

OAG can now be used as Spring library with the @EnableOWASPApplicationGateway annotation
Added possibility for federated logout
Updated default user-mapping configuraion
Added additional mappings to the GitHub login provider

Minor Improvements:

Implemented check if hostUri from config is a valid uri
Added missing log when ResponseStatusException is thrown
Added origin header validation as a defense-in-depth measure for csrf-samesite-cookie validation
Changed log level of some log messages to debug to have cleaner logs

Fixes:

Fixed a open-redirect vulnerability during login

Internal:

Added caffein ache to classpath (Spring Cloud Gateway asked for it in a warn log)
Added kotlin support for jackson (Not really used, but removes the warn message during startup)
Moved main configuration validation to spring main method to reduce problems with circular bean dependencies
Upgraded dependencies to newest version

New Functionality:

• OAG can now be used as Spring library with the @EnableOWASPApplicationGateway annotation
• Added possibility for federated logout
• Updated default user-mapping configuraion
• Added additional mappings to the GitHub login provider

Minor Improvements:

• Implemented check if hostUri from config is a valid uri
• Added missing log when ResponseStatusException is thrown
• Added origin header validation as a defense-in-depth measure for csrf-samesite-cookie validation
• Changed log level of some log messages to debug to have cleaner logs

Fixes:

• Fixed a open-redirect vulnerability during login

Internal:

• Added caffein ache to classpath (Spring Cloud Gateway asked for it in a warn log)
• Added kotlin support for jackson (Not really used, but removes the warn message during startup)
• Moved main configuration validation to spring main method to reduce problems with circular bean dependencies
• Upgraded dependencies to newest version